The standard OAuth 2.0 flow for Zoho CRM has four steps. First, the application redirects the user to Zoho’s authorisation URL with the Client ID and requested scopes. Second, the user logs in and approves the access. Third, Zoho redirects back to the application with an authorisation code. Fourth, the application exchanges the code for an access token and refresh token by calling Zoho’s token endpoint. The access token is then included in the Authorization header of all API requests.
For server-to-server integrations where no user interaction is possible, Zoho supports the Self Client type in the API Console. This generates a grant token that can be exchanged directly for access and refresh tokens without a browser-based authorisation step. This is the most common approach for backend scripts and scheduled integrations.
OAuth 2.0 is the authorization protocol for all Zoho CRM API access. It uses short-lived access tokens (1-hour expiry) and long-lived refresh tokens. External applications use a Connected App’s Client ID and Secret to obtain tokens, which are then included in API request headers; the refresh token is the long-term credential and must be stored with the same care as the Client Secret.
Register a Connected App in the Zoho API Console, use the OAuth 2.0 authorization flow (or Self Client for server-to-server) to generate an authorization code, and exchange it for an access token and refresh token via Zoho’s token endpoint. Use the refresh token to generate new access tokens as they expire.
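The steps above, carried through as an added example (not Zoho's SDK or Aaxonix's code). It builds the step-1 authorisation URL, exchanges a code (or a Self Client grant token) for tokens, and refreshes the access token a few minutes before the 1-hour expiry so scheduled jobs never send a stale one. The endpoint paths `/oauth/v2/auth` and `/oauth/v2/token` on `accounts.zoho.com`, the `access_type=offline` parameter and the `Zoho-oauthtoken` header scheme are assumptions taken from Zoho's public OAuth documentation; the HTTP transport is injected so the logic runs offline against a constructed stand-in for the token endpoint.

```python
"""Zoho CRM OAuth 2.0 token helper (added example; endpoints assumed from Zoho docs)."""
import json
import secrets
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional

AUTH_URL = "https://accounts.zoho.com/oauth/v2/auth"     # assumed from Zoho docs
TOKEN_URL = "https://accounts.zoho.com/oauth/v2/token"   # assumed from Zoho docs
REFRESH_SKEW_SECONDS = 300  # refresh this long before the 1-hour expiry

Transport = Callable[[str, Dict[str, str]], Dict[str, object]]


def urllib_transport(url: str, form: Dict[str, str]) -> Dict[str, object]:
    """Default transport: POST a form body and decode the JSON reply (needs network)."""
    body = urllib.parse.urlencode(form).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)


def new_state() -> str:
    """Unguessable per-request value; the callback must compare it to the session."""
    return secrets.token_urlsafe(16)


def build_authorization_url(client_id: str, scopes: List[str], redirect_uri: str, state: str) -> str:
    """Step 1: the URL the user is redirected to. access_type=offline asks for a refresh token."""
    params = {"response_type": "code", "client_id": client_id, "scope": ",".join(scopes),
              "redirect_uri": redirect_uri, "access_type": "offline", "state": state}
    return AUTH_URL + "?" + urllib.parse.urlencode(params)


class ZohoTokenManager:
    """Holds the refresh token and hands out a still-valid access token on demand."""

    def __init__(self, client_id: str, client_secret: str, redirect_uri: str,
                 transport: Transport = urllib_transport, clock: Callable[[], float] = time.time):
        self.client_id, self.client_secret, self.redirect_uri = client_id, client_secret, redirect_uri
        self._post, self._now = transport, clock
        self.refresh_token: Optional[str] = None
        self._access_token: Optional[str] = None
        self._expires_at = 0.0
        self.refresh_count = 0

    def _store(self, reply: Dict[str, object]) -> None:
        if "error" in reply:  # Zoho reports token failures as {"error": "..."} in the body
            raise RuntimeError(f"token endpoint error: {reply['error']}")
        self._access_token = str(reply["access_token"])
        self._expires_at = self._now() + int(reply.get("expires_in", 3600))
        if reply.get("refresh_token"):  # only returned on the first exchange, so keep it
            self.refresh_token = str(reply["refresh_token"])

    def exchange_code(self, code: str) -> None:
        """Step 4 (and the Self Client grant-token exchange): code -> access + refresh token."""
        self._store(self._post(TOKEN_URL, {
            "grant_type": "authorization_code", "client_id": self.client_id,
            "client_secret": self.client_secret, "redirect_uri": self.redirect_uri, "code": code}))

    def refresh(self) -> None:
        """Mint a new access token from the long-lived refresh token."""
        if not self.refresh_token:
            raise RuntimeError("no refresh token; run the authorization flow first")
        self.refresh_count += 1
        self._store(self._post(TOKEN_URL, {
            "grant_type": "refresh_token", "client_id": self.client_id,
            "client_secret": self.client_secret, "refresh_token": self.refresh_token}))

    def access_token(self) -> str:
        """Return a token with at least REFRESH_SKEW_SECONDS of life left, refreshing if not."""
        if self._access_token is None or self._now() >= self._expires_at - REFRESH_SKEW_SECONDS:
            self.refresh()
        return self._access_token  # type: ignore[return-value]

    def auth_header(self) -> Dict[str, str]:
        """Header to attach to every CRM API request."""
        return {"Authorization": "Zoho-oauthtoken " + self.access_token()}


class FakeClock:
    """Constructed clock so expiry handling can be exercised without waiting an hour."""
    def __init__(self, t: float = 1_700_000_000.0):
        self.t = t
    def __call__(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds


class FakeZohoTokenEndpoint:
    """Constructed stand-in for Zoho's token endpoint; token values are made up."""
    GRANT = "1000.constructed-grant-code"
    REFRESH = "1000.constructed-refresh"

    def __init__(self):
        self.calls: List[Dict[str, str]] = []
        self.issued = 0

    def __call__(self, url: str, form: Dict[str, str]) -> Dict[str, object]:
        assert url == TOKEN_URL
        self.calls.append(form)
        self.issued += 1
        if form["grant_type"] == "authorization_code":
            if form["code"] != self.GRANT:
                return {"error": "invalid_code"}
            return {"access_token": f"1000.at{self.issued}", "refresh_token": self.REFRESH,
                    "expires_in": 3600, "token_type": "Bearer"}
        if form["grant_type"] == "refresh_token" and form["refresh_token"] == self.REFRESH:
            return {"access_token": f"1000.at{self.issued}", "expires_in": 3600}
        return {"error": "invalid_client"}
```

In production, pass the real `urllib_transport`, persist `refresh_token` in a secrets store rather than source or logs, and keep one `ZohoTokenManager` per integration so concurrent jobs share a single cached access token instead of each minting their own.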
Aaxonix is a certified Zoho implementation partner based in Pune. Architecture-first, no surprises.